Troubleshoot issues related to managing groups

Users are automatically placed in default groups when you give them access to a cloud app or assign them a new app role. A default group is the main group that grants an app role.

Depending on how your organization set up groups in Atlassian Administration, a user access admin may encounter the following issues when managing users.

If automatic access is enabled for Goals or Projects, you can read about managing and troubleshooting issues related to automatic access specifically.

You can’t configure a default group

Only organization admins have the ability to configure default groups. This means a user access admin can’t make groups default, or remove a group’s default status.

How to resolve this issue

If you are a user access admin who needs to configure a default group, you’ll need to reach out to your organization admin who can do this on your behalf.

You can’t grant app access to a user

User access admins can only grant users access to apps they administer. A user access admin won’t be able to grant access to an app if the app’s default group gives access to other apps they don’t administer.

For example, let’s say the default group for Jira also gives access to Confluence. If you are a user access admin for Jira, you won’t be able to grant users access to Jira unless you are also a user access admin for Confluence. This is because the default group for Jira also gives access to Confluence, an app you don’t administer.

How to resolve this issue

If you are a user access admin experiencing this issue, reach out to your organization admin. An organization admin can either edit the default group for that app or make you a user access admin for the additional apps within the default group.

You can’t remove app access from a user

As mentioned before, a user is automatically placed into a default group when they’re granted access to a cloud app. Depending on how an organization is configured, it’s possible for a user to be placed into multiple groups that provide access to the same app.

For example, a user might be in the default group (Group 1) for Jira as well as another group (Group 2) that also gives access to Jira and Confluence. A user access admin wouldn’t be able to remove app access to Jira from this particular user, because they are also in a group that gives access to Confluence, an app the user access admin doesn’t administer.

How to resolve this issue

The only way to resolve this issue as a user access admin is to remove Jira access from Group 2. Once this has been removed, the user will only have access to Jira via the default group, which you are able to update. However, doing this will completely remove Jira access for any Group 2 users who aren’t in another group that grants access to Jira.

Otherwise, you can reach out to your organization admin. An organization admin can either remove app access for a user themselves or make you a user access admin for the additional apps within the default group.

You can’t remove app access from a provisioned user

User provisioning connects your identity provider with your Atlassian organization through System for Cross-domain Identity Management (SCIM). When you make updates in your identity provider, the users and groups in your Atlassian organization will also be automatically updated.

After an organization admin connects your identity provider to your Atlassian organization, all provisioned users are automatically added to a group.

A user access admin may encounter an issue when trying to remove app access from a provisioned user if their SCIM group grants access to that app.

For example, an organization admin has connected Google Workspace to your Atlassian organization. All users within Google Workspace are placed into the same SCIM group which sits within your Atlassian organization.

You’re a user access admin for Jira and you grant the SCIM group access to Jira. You then need to remove access to Jira for one user within the SCIM group.

In order to remove app access for the user, you’ll need to be able to remove them from all groups that grant access to Jira. Because SCIM groups are read-only groups, you can’t remove the user from the SCIM group that grants access to Jira. This means you won’t be able to remove access to Jira for that user because they are part of a SCIM group.

How to resolve this issue

If you are a user access admin experiencing this issue, reach out to your organization admin. An organization admin can use your identity provider to remove a user from the SCIM group. You’ll then be able to add the user to the default group for Jira.
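
The rules behind the grant and removal issues above can be checked offline before you escalate to an organization admin. The following Python sketch is an added example, not Atlassian code or an Atlassian API: the Group fields, function names, group names and users are assumptions, and the data is constructed to mirror the Group 1 / Group 2 and SCIM examples on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    apps: set                                       # apps this group grants access to
    default_for: set = field(default_factory=set)   # apps it is the default group for
    scim: bool = False                              # provisioned via SCIM, so read-only
    members: set = field(default_factory=set)

def grant_blockers(admin_apps, groups, app):
    """Why a user access admin cannot grant `app` through its default group."""
    out = []
    for g in groups:
        extra = g.apps - admin_apps
        if app in g.default_for and extra:
            out.append(f"{g.name}: default group also grants {sorted(extra)}")
    return out

def removal_blockers(admin_apps, groups, user, app):
    """Groups the admin cannot take `user` out of that still grant `app`."""
    out = []
    for g in groups:
        if user not in g.members or app not in g.apps:
            continue
        extra = g.apps - admin_apps
        if g.scim:
            out.append(f"{g.name}: SCIM group is read-only")
        elif extra:
            out.append(f"{g.name}: also grants {sorted(extra)}")
    return out

def sample_groups():
    # Constructed data mirroring the Group 1 / Group 2 and SCIM examples above.
    return [
        Group("Group 1", {"jira"}, default_for={"jira"}, members={"alice", "carol"}),
        Group("Group 2", {"jira", "confluence"}, members={"alice"}),
        Group("scim-all", {"jira"}, scim=True, members={"bob"}),
    ]

if __name__ == "__main__":
    admin = {"jira"}  # the user access admin administers Jira only
    for user in ("alice", "bob", "carol"):
        print(user, removal_blockers(admin, sample_groups(), user, "jira") or "removable")
```

An empty result means nothing in the modelled rules blocks the action; each returned string names the group an organization admin would need to change.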
